SPF DNS lookup limit with mx: mechanisms #45

@alexanderrobohm


Hi,

I have run into a problem with the SPF validation. aboutmy.email seems to count MX lookups wrong. For instance, if I send from a domain with "v=spf1 mx -all" as its SPF record and a single MX record, aboutmy.email reports 2 DNS lookups. To me, this violates RFC 7208 Section 4.6.4, which states:

> When evaluating the "mx" mechanism, the number of "MX" resource
> records queried is included in the overall limit of 10 mechanisms/
> modifiers that cause DNS lookups as described above.  In addition to
> that limit, the evaluation of each "MX" record MUST NOT result in
> querying more than 10 address records -- either "A" or "AAAA"
> resource records.  If this limit is exceeded, the "mx" mechanism MUST
> produce a "permerror" result.

implying that the A/AAAA lookup for the hostname the MX points to should not count towards the 10 lookup limit.
Other SPF validation tools (like those from Vamsoft or LearnDMARC) seem to agree with this, and only report 1 lookup. For an SPF record with 10 lookups (and at least one mx: mechanism), aboutmy.email then falsely reports a permerror, while the other tools report no error.
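
An added example (not part of the original issue and not aboutmy.email's code) of the counting the issue argues for: each DNS-querying term, including "mx", counts once toward the limit of 10, and the address lookups for the MX hosts are tallied separately against the per-mechanism limit of 10. The zone data, domain names and the `count_lookups` helper are constructed for illustration, and one address lookup per MX host is assumed.

```python
import re

TERM_LIMIT = 10      # include, a, mx, ptr, exists, redirect (RFC 7208 4.6.4)
MX_ADDR_LIMIT = 10   # address lookups allowed while evaluating one "mx" term
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed zone data standing in for DNS; every name here is hypothetical.
ZONE = {
    ("example.test", "TXT"): "v=spf1 mx -all",
    ("example.test", "MX"): ["mail.example.test"],
    ("ten.test", "TXT"): "v=spf1 mx "
        + " ".join(f"a:h{i}.ten.test" for i in range(9)) + " -all",
    ("ten.test", "MX"): ["mx1.ten.test", "mx2.ten.test"],
}


class PermError(Exception):
    """SPF permerror: a processing limit was exceeded."""


def count_lookups(domain, zone, tally=None):
    """Walk an SPF record and return {'terms': n, 'mx_addr': [n per mx term]}."""
    tally = tally if tally is not None else {"terms": 0, "mx_addr": []}
    record = zone.get((domain, "TXT"), "v=spf1")
    for term in record.split()[1:]:                      # skip "v=spf1"
        # optional qualifier, term name, optional ":domain" or "=domain"
        m = re.match(r"[+\-~?]?([a-z]+)(?:[:=]([^/\s]+))?", term.lower())
        name, arg = m.group(1), m.group(2)
        if name not in LOOKUP_TERMS:
            continue                                     # all, ip4, ip6, exp, ...
        tally["terms"] += 1
        if tally["terms"] > TERM_LIMIT:
            raise PermError(f"more than {TERM_LIMIT} DNS-querying terms")
        target = arg or domain
        if name == "mx":
            hosts = zone.get((target, "MX"), [])
            # A/AAAA lookups for MX hosts fall under the separate limit,
            # so they are recorded here and not added to tally["terms"].
            if len(hosts) > MX_ADDR_LIMIT:
                raise PermError(f"mx:{target} needs {len(hosts)} address lookups")
            tally["mx_addr"].append(len(hosts))
        elif name in ("include", "redirect"):
            count_lookups(target, zone, tally)           # nested terms share the tally
    return tally
```

With this counting, `example.test` yields 1 term, and `ten.test` (one "mx" plus nine "a" terms, two MX hosts) sits exactly at the limit of 10 without a permerror.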
